
2105 matches found

Vulnrichment
added 2025/08/14 10:34 a.m. · 1 view

CVE-2025-54690 WordPress Xinterio Theme <= 4.2 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in themeStek Xinterio allows PHP Local File Inclusion. This issue affects Xinterio: from n/a through 4.2...

8.1 CVSS · 7.4 AI score · 0.00158 EPSS
Exploits 0 · References 1
Cvelist
added 2025/08/14 10:34 a.m. · 6 views

CVE-2025-54680 WordPress Blogger Buzz Theme theme <= 1.2.6 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in sparklewpthemes Blogger Buzz blogger-buzz allows Stored XSS. This issue affects Blogger Buzz: from n/a through <= 1.2.6...

6.5 CVSS · 0.00051 EPSS
Exploits 0 · References 1
CVE
added 2025/08/14 10:34 a.m. · 17 views

CVE-2025-24766

CVE-2025-24766: WordPress News Magazine X (WP Royal Themes) has an LFI flaw in PHP due to improper control of filenames for include/require. Affected: News Magazine X

7.5 CVSS · 5.9 AI score · 0.00144 EPSS
Exploits 0 · References 1
Vulnrichment
added 2025/08/14 10:34 a.m. · 2 views

CVE-2025-32288 WordPress RT-Theme 18 | Extensions plugin <= 2.4 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows PHP Local File Inclusion. This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.4...

7.5 CVSS · 5.9 AI score · 0.00144 EPSS
Exploits 0 · References 1
Patchstack
added 2025/08/14 12:0 a.m. · 4 views

WordPress WP Rentals Theme <= 3.13.1 is vulnerable to Cross Site Scripting (XSS)

Software: WP Rentals · Type: Theme · Vulnerable versions: <= 3.13.1 · Fixed in: N/A · OWASP Top 10: A3: Injection · Classification: Cross Site Scripting XSS · CVE: CVE-2025-53330 · Patch priority: Low · CVSS severity: Low 6.5 · PSID: be5ed984cceb · Credits: Ananda Dhakal Patchstack · Required privilege...

6.5 CVSS · 6.9 AI score · 0.00051 EPSS
Exploits 0 · References 1 · Affected Software 1
Positive Technologies
added 2025/08/14 12:0 a.m. · 2 views

PT-2025-33149 · Wp Royal Themes · News Magazine X

Name of the Vulnerable Software and Affected Versions: WP Royal Themes News Magazine X versions through 1.2.37 Description: A flaw exists in WP Royal Themes News Magazine X related to improper control of filename for include/require statements, leading to a PHP Local File Inclusion issue. This...

7.5 CVSS · 7.1 AI score · 0.00144 EPSS
Exploits 0 · References 4
Cvelist
added 2025/08/13 3:42 a.m. · 7 views

CVE-2025-8891 OceanWP <= 4.0.9 - 4.1.1 - Cross-Site Request Forgery to Ocean Extra Plugin Installation

The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. This is due to missing or incorrect nonce validation on the oceanwpnoticebuttonclick function. This makes it possible for unauthenticated attackers to install the Ocean Extra plugin via a forge...

4.3 CVSS · 0.00036 EPSS
Exploits 1 · References 3
Vulnrichment
added 2025/08/13 3:42 a.m. · 5 views

CVE-2025-8891 OceanWP <= 4.0.9 - 4.1.1 - Cross-Site Request Forgery to Ocean Extra Plugin Installation

The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. This is due to missing or incorrect nonce validation on the oceanwpnoticebuttonclick function. This makes it possible for unauthenticated attackers to install the Ocean Extra plugin via a forge...

4.3 CVSS · 6.7 AI score · 0.00036 EPSS
Exploits 1 · References 3
RedhatCVE
added 2025/08/11 2:29 p.m. · 3 views

CVE-2025-7726

The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via its lightbox rendering code in all versions up to, and including, 12.6.0 due to insufficient input sanitization and output escaping. The theme’s JavaScript reads user-supplied 'title' and 'data-dt-img-description'...

6.4 CVSS · 6 AI score · 0.00203 EPSS
Exploits 0 · References 1
Patchstack
added 2025/08/11 12:0 a.m. · 4 views

WordPress The7 Theme <= 12.6.0 is vulnerable to Cross Site Scripting (XSS)

Software: The7 · Type: Theme · Vulnerable versions: <= 12.6.0 · Fixed in: 12.7.0 · OWASP Top 10: A7: Cross-Site Scripting XSS · Classification: Cross Site Scripting XSS · CVE: CVE-2025-7726 · Patch priority: Low · CVSS severity: Low 6.5 · PSID: 79f4fdafca8f · Credits: Webbernaut · Required privilege...

6.4 CVSS · 6 AI score · 0.00203 EPSS
Exploits 0 · References 2 · Affected Software 1
NVD
added 2025/08/09 2:15 p.m. · 3 views

CVE-2025-7726

The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via its lightbox rendering code in all versions up to, and including, 12.6.0 due to insufficient input sanitization and output escaping. The theme’s JavaScript reads user-supplied 'title' and 'data-dt-img-description'...

6.4 CVSS · 0.00203 EPSS
Exploits 0 · References 4
Cvelist
added 2025/08/09 1:45 p.m. · 6 views

CVE-2025-7726 The7 <= 12.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via title and data-dt-img-description Attributes

The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via its lightbox rendering code in all versions up to, and including, 12.6.0 due to insufficient input sanitization and output escaping. The theme’s JavaScript reads user-supplied 'title' and 'data-dt-img-description'...

6.4 CVSS · 0.00203 EPSS
Exploits 0 · References 4
CVE
added 2025/08/09 1:45 p.m. · 14 views

CVE-2025-7726

The7 theme for WordPress (

6.4 CVSS · 6 AI score · 0.00203 EPSS
Exploits 0 · References 4
Positive Technologies
added 2025/08/09 12:0 a.m. · 3 views

PT-2025-32438 · WordPress · The7 Theme

Name of the Vulnerable Software and Affected Versions: The7 theme for WordPress versions prior to 12.6.1 Description: The The7 theme for WordPress is susceptible to Stored Cross-Site Scripting through its lightbox rendering code. Insufficient input sanitization and output escaping allow the theme...

6.4 CVSS · 6.2 AI score · 0.00203 EPSS
Exploits 0 · References 9
Patchstack
added 2025/08/06 11:56 a.m. · 3 views

WordPress Xinterio Theme <= 4.2 - Local File Inclusion Vulnerability

Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Xinterio versions <= 4.2...

8.1 CVSS · 7 AI score · 0.00158 EPSS
Exploits 0 · Affected Software 1
CVE
added 2025/08/06 2:24 a.m. · 12 views

CVE-2025-8595

Summary of CVE-2025-8595 (Zakra WordPress theme): The Zakra theme is vulnerable to unauthorized data modification due to a missing capability check in welcome_notice_import_handler(), affecting all versions up to 4.1.5. This allows authenticated attackers with Subscriber-level access and above t...

4.3 CVSS · 6.1 AI score · 0.00159 EPSS
Exploits 0 · References 3
CNNVD
added 2025/08/06 12:0 a.m. · 1 view

WordPress plugin Zakra security vulnerability

WordPress Zakra is a WordPress theme known for its power, compatibility and lightweight design, suitable for creating personal blogs, business websites, WooCommerce stores and more. WordPress Zakra suffers from an unauthorized modification vulnerability that stems from a missing...

4.3 CVSS · 6.7 AI score · 0.00159 EPSS
Exploits 0 · References 3
Positive Technologies
added 2025/08/06 12:0 a.m. · 4 views

PT-2025-32097 · WordPress · Betheme

Name of the Vulnerable Software and Affected Versions: Betheme theme for WordPress versions prior to 28.1.4 Description: The Betheme theme for WordPress is susceptible to Stored Cross-Site Scripting through an Elementor display setting. Insufficient input sanitization and output escaping allows...

6.4 CVSS · 5.8 AI score · 0.00164 EPSS
Exploits 0 · References 4
Patchstack
added 2025/08/04 12:0 a.m. · 6 views

WordPress Shopo Theme <= 1.1.4 is vulnerable to Arbitrary File Upload

Software: Shopo · Type: Theme · Vulnerable versions: <= 1.1.4 · Fixed in: N/A · OWASP Top 10: A1: Injection · Classification: Arbitrary File Upload · CVE: CVE-2025-31048 · Patch priority: Medium · CVSS severity: Medium 9.9 · PSID: 148bf5acafb9 · Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity...

6.8 AI score · 0.00051 EPSS
Exploits 0 · References 1 · Affected Software 1
GithubExploit
added 2025/08/02 8:1 p.m. · 733 views

Exploit for CVE-2025-5394

CVE-2025-5394 – WordPress Alone Theme = 7.8.3 - Unauthenticat...

9.8 CVSS · 7.9 AI score · 0.21837 EPSS
Exploits 3